<div dir="ltr">Hi -- I posted this question to serverfault -- I think maybe I should ping this list though as I'm not sure if this is a bug:<div><br></div><div><a href="http://serverfault.com/questions/678884/realm-join-client-software-sssd-on-centos-7-joins-two-realms-one-with-sssd">http://serverfault.com/questions/678884/realm-join-client-software-sssd-on-centos-7-joins-two-realms-one-with-sssd</a><br></div><div><br></div><div><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:15px;clear:both;font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;line-height:19px">On clean installed centos-7 host:</p><pre style="margin-top:0px;padding:5px;border:0px;font-size:13px;overflow:auto;width:auto;max-height:600px;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,sans-serif;word-wrap:normal"><code style="margin:0px;padding:0px;border:0px;font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,sans-serif;white-space:inherit">realm join -U foo --client-software sssd <a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>
</code></pre><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:15px;clear:both;font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;line-height:19px">After running <code style="margin:0px;padding:1px 5px;border:0px;font-size:13px;font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,sans-serif;background-color:rgb(238,238,238);white-space:pre-wrap">realm list</code> output looks initially like this:</p><pre style="margin-top:0px;padding:5px;border:0px;font-size:13px;overflow:auto;width:auto;max-height:600px;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,sans-serif;word-wrap:normal"><code style="margin:0px;padding:0px;border:0px;font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,sans-serif;white-space:inherit"><a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>
type: kerberos
realm-name: <a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>
domain-name: <a href="http://ad.example.com">ad.example.com</a>
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %<a href="mailto:U@ad.example.com">U@ad.example.com</a>
login-policy: allow-realm-logins
</code></pre><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:15px;clear:both;font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;line-height:19px">Showing me that I joined an active directory with sssd as I had intended -- logins work as expected both via ssh and samba.</p><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:15px;clear:both;font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;line-height:19px">Later on (not sure what triggers or it but a system reboot guarantees it) -- the realm list output changes to this</p><pre style="margin-top:0px;padding:5px;border:0px;font-size:13px;overflow:auto;width:auto;max-height:600px;background-color:rgb(238,238,238);font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,sans-serif;word-wrap:normal"><code style="margin:0px;padding:0px;border:0px;font-family:Consolas,Menlo,Monaco,'Lucida Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans Mono','Courier New',monospace,sans-serif;white-space:inherit"><a href="http://ad.example.com">ad.example.com</a>
type: kerberos
realm-name: <a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>
domain-name: <a href="http://ad.example.com">ad.example.com</a>
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common
login-formats: AD\%U
login-policy: allow-any-login
<a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>
type: kerberos
realm-name: <a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>
domain-name: <a href="http://ad.example.com">ad.example.com</a>
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %<a href="mailto:U@ad.example.com">U@ad.example.com</a>
login-policy: allow-realm-logins
</code></pre></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif">A few more details: -- after running realm join --verbose --client-software sssd --user foo <a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>, I </font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif"><br></font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif">(1) shutdown sssd</font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif">(2) replace sssd.conf</font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif">(3) rm -rf /var/lib/sss/db/*</font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif">(4) restart sssd</font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif"><br></font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif">I have to do this because the active directory domain I'm joining is larger than the default ldap_idmap_range_size -- the sssd.conf I generate looks like this:</font></div><div><font face="Consolas, Menlo, Monaco, Lucida Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera Sans Mono, Courier New, monospace, sans-serif"><br></font></div><div><p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">[sssd]</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">domains = <a href="http://AD.UCSD.EDU">AD.UCSD.EDU</a></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">config_file_version = 2</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">services = nss, pam</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">[domain/<a href="http://AD.UCSD.EDU">AD.UCSD.EDU</a>]</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">ad_domain = <a href="http://AD.UCSD.EDU">AD.UCSD.EDU</a></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">krb5_realm = <a href="http://AD.UCSD.EDU">AD.UCSD.EDU</a></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">realmd_tags = manages-system joined-with-samba </p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">cache_credentials = True</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">id_provider = ad</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">krb5_store_password_if_offline = True</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">default_shell = /bin/bash</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">ldap_id_mapping = True</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">use_fully_qualified_names = True</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">fallback_homedir = /home/%d/%u</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">ldap_idmap_default_domain=<a href="http://AD.UCSD.EDU">AD.UCSD.EDU</a></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">ldap_idmap_range_size=2000000</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">ldap_search_base = dc=AD,dc=UCSD,dc=EDU</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">override_homedir=/home/%d/%u</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">dyndns_update=False</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">access_provider = ad</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"># define the sts_ad_access_filter host variable in ansible if you wish to restrict access to this host</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)"># example: sts_ad_access_filter: "(memberOf=CN=somts,OU=Share-access,OU=BusinessOffice,OU=Groups,OU=SOMTS,OU=SIO,DC=AD,DC=UCSD,DC=EDU)"</p></div><div><br></div><div><br></div><div>I also try with a realmd.conf </div><div><br></div><div><p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">[active-directory]</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">default-client = sssd</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0);min-height:19px"><br></p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">[service]</p>
<p style="margin:0px;font-size:14px;font-family:Monaco;color:rgb(245,245,245);background-color:rgb(0,0,0)">automatic-install = no</p></div><div><br></div><div>No matter what I do:</div><div><br></div><div>- realm list initially doesn't return anything about a winbind domain -- but everything works</div><div>- after reboot, realm list shows the two domains (and now I can login as either <a href="mailto:user@ad.example.com">user@ad.example.com</a> or AD\\user ...</div><div><br></div><div>Maybe this is by design -- but I suspect that something is afoot and this has me worried ... I've been re-doing clean installs trying to figure this out for hours now -- here's a snippet from my ansible config automated this if it helps anyone reproduce ...</div><div><br></div><div><pre style="background-color:rgb(12,16,33);color:rgb(248,248,248);font-family:Menlo;font-size:12pt"><span style="color:rgb(251,222,45)">---<br></span><span style="color:rgb(251,222,45)"><br></span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(255,100,0)">name: </span><span style="color:rgb(97,206,60)">"Ensure libraries required to join Active Directory domain are installed"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">yum: </span><span style="color:rgb(97,206,60)">name={{ item }} state="present"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">with_items:<br></span><span style="color:rgb(255,100,0)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">krb5-workstation<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">realmd<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">sssd<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">samba<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">oddjob<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">oddjob-mkhomedir<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">adcli<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">samba-common<br></span><span style="color:rgb(97,206,60)"><br></span><span style="color:rgb(97,206,60)"><br></span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(255,100,0)">name: </span><span style="color:rgb(97,206,60)">"Ensure winbind is not present to avoid the possibility of CRAZY CONFUSION?"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">yum: </span><span style="color:rgb(97,206,60)">name={{ item }} state="absent"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">with_items:<br></span><span style="color:rgb(255,100,0)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">samba-winbind<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">samba-winbind-clients<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">samba-winbind-krb5-locator<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">samba-winbind-modules<br></span><span style="color:rgb(97,206,60)"><br></span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(255,100,0)">name: </span><span style="color:rgb(97,206,60)">"Ensure sane realmd.conf exists prior to running realm command"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">template: </span><span style="color:rgb(97,206,60)">src=sssd/realmd.conf.j2 dest=/etc/realmd.conf<br></span><span style="color:rgb(97,206,60)"><br></span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(255,100,0)">name: </span><span style="color:rgb(97,206,60)">"Test if we are currently part of Active Directory"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">shell: </span><span style="color:rgb(97,206,60)">"realm list"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">register: </span><span style="color:rgb(97,206,60)">domain_membership_test<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">ignore_errors: </span><span style="color:rgb(97,206,60)">True<br></span><span style="color:rgb(97,206,60)"><br></span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(255,100,0)">name: </span><span style="color:rgb(97,206,60)">"Join to UCSD Active directory if needed"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">when: </span><span style="color:rgb(97,206,60)">domain_membership_test.stdout.find("<a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>") == -1<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">shell: </span><span style="color:rgb(97,206,60)">"echo -n {{ foo_password_from_vault }} | realm join --user foo --verbose --client-software sssd --server-software active-directory <a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a>"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">notify:<br></span><span style="color:rgb(255,100,0)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">clear sssd cache and restart<br></span><span style="color:rgb(97,206,60)"><br></span><span style="color:rgb(174,174,174)">#- name: "Ensure appropriate krb5.conf file is deployed"<br></span><span style="color:rgb(174,174,174)"># template: src=sssd/krb5.conf.j2 dest=/etc/krb5.conf<br></span><span style="color:rgb(174,174,174)"><br></span><span style="color:rgb(174,174,174)"># a custom sssd.conf is needed rather than the one built by realm for a few reasons:<br></span><span style="color:rgb(174,174,174)"># - default ldap_idmap_range_size is too small for ucsd-ad<br></span><span style="color:rgb(174,174,174)"># - want custom ad_access_filter<br></span><span style="color:rgb(174,174,174)"># - want deterministic id mapping for @<a href="http://AD.EXAMPLE.COM">AD.EXAMPLE.COM</a> domain which requires:<br></span><span style="color:rgb(174,174,174)"># using a pre-established ldap_idmap_range_size and using ldap_idmap_default_domain which ensures that @<a href="http://ad.ucsd.edu">ad.ucsd.edu</a> will always be mapped into first domain 'slice'<br></span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(255,100,0)">name: </span><span style="color:rgb(97,206,60)">"Ensure appropriate sssd.conf is deployed"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">template: </span><span style="color:rgb(97,206,60)">src=sssd/sssd.conf.j2 dest=/etc/sssd/sssd.conf mode=0600<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">notify:<br></span><span style="color:rgb(255,100,0)"> </span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(97,206,60)">clear sssd cache and restart<br></span><span style="color:rgb(97,206,60)"><br></span><span style="color:rgb(251,222,45)">- </span><span style="color:rgb(255,100,0)">name: </span><span style="color:rgb(97,206,60)">"Ensure sssd service is enabled"<br></span><span style="color:rgb(97,206,60)"> </span><span style="color:rgb(255,100,0)">service: </span><span style="color:rgb(97,206,60)">name=sssd enabled=yes<br></span></pre></div></div>